From 102d6554cdc2acb8242f6d49a608d9d616407520 Mon Sep 17 00:00:00 2001
From: krishna sindhur
Date: Sun, 1 Dec 2024 23:23:18 +0530
Subject: [PATCH 1/3] add: enable webhook patching with flag

Signed-off-by: krishna sindhur
---
 cmd/operator/main.go | 3 +++
 pkg/certificates/certificate_manager.go | 25 ++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/cmd/operator/main.go b/cmd/operator/main.go
index dd1dc656f28..1bdaed01954 100644
--- a/cmd/operator/main.go
+++ b/cmd/operator/main.go
@@ -85,6 +85,7 @@ func main() {
 	var enableCertRotation bool
 	var validatingWebhookName string
 	var caDirs []string
+	var enableWebhookPatching bool
 	pflag.BoolVar(&enablePrometheusMetrics, "enable-prometheus-metrics", true, "Enable the prometheus metric of keda-operator.")
 	pflag.BoolVar(&enableOpenTelemetryMetrics, "enable-opentelemetry-metrics", false, "Enable the opentelemetry metric of keda-operator.")
 	pflag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the prometheus metric endpoint binds to.")
@@ -107,6 +108,7 @@ func main() {
 	pflag.BoolVar(&enableCertRotation, "enable-cert-rotation", false, "enable automatic generation and rotation of TLS certificates/keys")
 	pflag.StringVar(&validatingWebhookName, "validating-webhook-name", "keda-admission", "ValidatingWebhookConfiguration name. Defaults to keda-admission")
 	pflag.StringArrayVar(&caDirs, "ca-dir", []string{"/custom/ca"}, "Directory with CA certificates for scalers to authenticate TLS connections. Can be specified multiple times. Defaults to /custom/ca")
+	pflag.BoolVar(&enableWebhookPatching, "enable-webhook-patching", true, "Enable patching of webhook resources. Defaults to true.")
 	opts := zap.Options{}
 	opts.BindFlags(flag.CommandLine)
 	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
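Review bot: The help text for the new `enable-webhook-patching` flag does not say which resource it gates or what the operator stops doing when it is false, which matters operationally because a caBundle on the ValidatingWebhookConfiguration that no longer matches the served certificate would presumably make the API server reject the webhook's TLS connection. Consider `"Patch the ValidatingWebhookConfiguration (see --validating-webhook-name) with the generated caBundle. Set to false only when the caBundle is maintained outside the operator. Defaults to true."`. The later commit in this series narrows the flag to the validating webhook while the APIService is always patched, so the help text should describe that final behavior. Both main.go hunks here sit inside func main, whose body starts and ends outside the hunks.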
@@ -305,6 +307,7 @@ func main() {
 		APIServiceName: "v1beta1.external.metrics.k8s.io",
 		Logger: setupLog,
 		Ready: certReady,
+		EnableWebhookPatching: enableWebhookPatching,
 	}
 	if err := certManager.AddCertificateRotation(ctx, mgr); err != nil {
 		setupLog.Error(err, "unable to set up cert rotation")
diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go
index abd4e5e806d..4c26ad59a0e 100644
--- a/pkg/certificates/certificate_manager.go
+++ b/pkg/certificates/certificate_manager.go
@@ -50,19 +50,26 @@ type CertManager struct {
 	APIServiceName string
 	Logger logr.Logger
 	Ready chan struct{}
+	EnableWebhookPatching bool
 }
 
 // AddCertificateRotation registers all needed services to generate the certificates and patches needed resources with the caBundle
 func (cm CertManager) AddCertificateRotation(ctx context.Context, mgr manager.Manager) error {
-	var rotatorHooks = []rotator.WebhookInfo{
-		{
-			Name: cm.ValidatingWebhookName,
-			Type: rotator.Validating,
-		},
-		{
-			Name: cm.APIServiceName,
-			Type: rotator.APIService,
-		},
+	var rotatorHooks []rotator.WebhookInfo
+
+	if cm.EnableWebhookPatching {
+		rotatorHooks = []rotator.WebhookInfo{
+			{
+				Name: cm.ValidatingWebhookName,
+				Type: rotator.Validating,
+			},
+			{
+				Name: cm.APIServiceName,
+				Type: rotator.APIService,
+			},
+		}
+	} else {
+		cm.Logger.V(1).Info("Webhook patching is disabled, skipping webhook certificates")
 	}
 
 	err := cm.ensureSecret(ctx, mgr, cm.SecretName)

From c0381154acf6ccfa347dea9977727d02a9db014d Mon Sep 17 00:00:00 2001
From: krishna sindhur
Date: Mon, 2 Dec 2024 17:27:30 +0530
Subject: [PATCH 2/3] update: should enable/disable only the webhook

Signed-off-by: krishna sindhur
---
 CHANGELOG.md | 1 +
 pkg/certificates/certificate_manager.go | 17 +++++++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52538a16f71..afc6a31e8b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
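Review bot: The log line added in the else branch, `cm.Logger.V(1).Info("Webhook patching is disabled, skipping webhook certificates")`, describes the wrong thing: the certificates are still generated, since `cm.ensureSecret(ctx, mgr, cm.SecretName)` runs unconditionally right after the if/else, and what is actually skipped is the caBundle patch of the webhook resources. Suggest `cm.Logger.Info("Webhook patching is disabled, skipping caBundle patching of webhook resources")`, at default verbosity rather than V(1), because an operator running with its admission webhook left unpatched is a configuration an administrator should be able to see in the logs without raising the log level. The new `EnableWebhookPatching` field on CertManager also lacks a doc comment; `// EnableWebhookPatching controls whether the caBundle is patched into the webhook resources.` would do. The same log line remains as context in the follow-up commit's hunk, and the AddCertificateRotation body continues past the end of this hunk.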
@@ -136,6 +136,7 @@ New deprecation(s):
 - **AWS SQS Scaler**: Improve error handling for SQS queue metrics ([#6178](https://github.com/kedacore/keda/issues/6178))
 - **Azure Event Hub Scaler**: Checkpointer errors are correctly handled ([#6084](https://github.com/kedacore/keda/issues/6084))
 - **Metrics API Scaler**: Prometheus metrics can have multiple labels ([#6077](https://github.com/kedacore/keda/issues/6077))
+- **Operator Webhook Flag**: Enable patching of webhook resources. ([#6184](https://github.com/kedacore/keda/issues/6184))
 
 ### Deprecations
 
diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go
index 4c26ad59a0e..5f8f9630ff8 100644
--- a/pkg/certificates/certificate_manager.go
+++ b/pkg/certificates/certificate_manager.go
@@ -55,19 +55,20 @@ type CertManager struct {
 
 // AddCertificateRotation registers all needed services to generate the certificates and patches needed resources with the caBundle
 func (cm CertManager) AddCertificateRotation(ctx context.Context, mgr manager.Manager) error {
-	var rotatorHooks []rotator.WebhookInfo
+	rotatorHooks := []rotator.WebhookInfo{
+		{
+			Name: cm.APIServiceName,
+			Type: rotator.APIService,
+		},
+	}
 
 	if cm.EnableWebhookPatching {
-		rotatorHooks = []rotator.WebhookInfo{
-			{
+		rotatorHooks = append(rotatorHooks,
+			rotator.WebhookInfo{
 				Name: cm.ValidatingWebhookName,
 				Type: rotator.Validating,
 			},
-			{
-				Name: cm.APIServiceName,
-				Type: rotator.APIService,
-			},
-		}
+		)
 	} else {
 		cm.Logger.V(1).Info("Webhook patching is disabled, skipping webhook certificates")
 	}

From bcbcb6eae60aea238180ba3cb2ebe3072a57c3e4 Mon Sep 17 00:00:00 2001
From: Jan Wozniak
Date: Mon, 2 Dec 2024 19:24:12 +0100
Subject: [PATCH 3/3] changelog: put webhook patching flag to 'New' section

Signed-off-by: Jan Wozniak
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index afc6a31e8b8..e80e368c0e5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
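Review bot: The doc comment on AddCertificateRotation, visible as context at the top of the hunk, still promises that the function "patches needed resources with the caBundle", but after this change the ValidatingWebhookConfiguration is only patched when `cm.EnableWebhookPatching` is true while the APIService is always patched; append something like `The ValidatingWebhookConfiguration is only patched when EnableWebhookPatching is set; the APIService is always patched.` to the comment. Since the secret handling after the if/else still runs when patching is disabled, a caBundle that the operator patched earlier presumably goes stale after the next rotation unless something outside the operator updates it, which is worth stating in the same comment so operators know the flag shifts that responsibility to them. Stylistically, the multi-line `append(rotatorHooks, rotator.WebhookInfo{...},)` with its lone `)` reads awkwardly; `rotatorHooks = append(rotatorHooks, rotator.WebhookInfo{Name: cm.ValidatingWebhookName, Type: rotator.Validating})` on one line is easier to follow. The function body continues past the end of the hunk.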
@@ -60,6 +60,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 - **General**: Enable OpenSSF Scorecard to enhance security practices across the project ([#5913](https://github.com/kedacore/keda/issues/5913))
 - **General**: Introduce new NSQ scaler ([#3281](https://github.com/kedacore/keda/issues/3281))
+- **General**: Operator flag to control patching of webhook resources certificates ([#6184](https://github.com/kedacore/keda/issues/6184))
 
 #### Experimental
 
@@ -136,7 +137,6 @@ New deprecation(s):
 - **AWS SQS Scaler**: Improve error handling for SQS queue metrics ([#6178](https://github.com/kedacore/keda/issues/6178))
 - **Azure Event Hub Scaler**: Checkpointer errors are correctly handled ([#6084](https://github.com/kedacore/keda/issues/6084))
 - **Metrics API Scaler**: Prometheus metrics can have multiple labels ([#6077](https://github.com/kedacore/keda/issues/6077))
-- **Operator Webhook Flag**: Enable patching of webhook resources. ([#6184](https://github.com/kedacore/keda/issues/6184))
 
 ### Deprecations